Security advisory: A Denial-of-Service type of security issue in Qt XML module impacts Qt

A Denial-of-Service type of security issue in QDom classes of Qt XML module has been discovered and has been assigned the CVE id CVE-2025-30348.

Affected versions: Up to 5.15.18, 6.0.0 to 6.5.8, and 6.6.0 to 6.7.3.

Impact: When QDom classes are used to write XML with long text segments, QDomNode::save() could hit a quadratic-complexity code path, potentially leading to a DoS if an attacker can control the rate and contents of XML serializations performed by the application, e.g. if the application packages attacker-supplied text in XML, including reading XML, changing it, and writing it back.

To mitigate the issue, we advise enforcing implementation limits on the size of text and attributes accepted into QDom, or porting the application to QXmlStreamReader/QXmlStreamWriter.
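As an added example (not part of the advisory and not Qt's own code), one way to apply the first mitigation is a size gate on untrusted XML before it reaches QDomDocument::setContent(). The function name withinQDomLimits, the pre-scan approach and the limit values are assumptions of this example.

```cpp
#include <cstring>
#include <string>
// Constructed sample limits (not from the advisory): tune to the largest text segment
// and attribute value the application legitimately needs.
constexpr std::size_t kMaxTextSegment = 64 * 1024;
constexpr std::size_t kMaxAttributeValue = 4 * 1024;
// Pre-parse gate for untrusted XML, run before QDomDocument::setContent(). Returns true
// when every text segment (a CDATA section counts as its own segment, as QDom keeps
// text and CDATA in separate nodes) and every quoted attribute value is within limits.
// Light scanner, not a parser: comments and PIs are skipped, DOCTYPE internal subsets
// are not understood, unterminated markup or attribute values are rejected outright.
bool withinQDomLimits(const std::string& xml,
                      std::size_t maxText = kMaxTextSegment,
                      std::size_t maxAttr = kMaxAttributeValue) {
    const std::size_t n = xml.size();
    std::size_t i = 0;
    while (i < n) {
        if (xml[i] != '<') {                                   // character data
            std::size_t end = xml.find('<', i);
            if (end == std::string::npos) end = n;
            if (end - i > maxText) return false;
            i = end;
            continue;
        }
        // CDATA (counted as text), comments and PIs have their own terminators.
        const char* open = nullptr; const char* close = nullptr;
        if (xml.compare(i, 9, "<![CDATA[") == 0) { open = "<![CDATA["; close = "]]>"; }
        else if (xml.compare(i, 4, "<!--") == 0) { open = "<!--"; close = "-->"; }
        else if (xml.compare(i, 2, "<?") == 0)   { open = "<?";   close = "?>"; }
        if (open) {
            std::size_t start = i + std::strlen(open);
            std::size_t end = xml.find(close, start);
            if (end == std::string::npos) return false;        // unterminated
            if (close[0] == ']' && end - start > maxText) return false;
            i = end + std::strlen(close);
            continue;
        }
        // Start/end tag or declaration: walk to '>' outside quotes, measuring attributes.
        for (++i; i < n && xml[i] != '>'; ++i) {
            if (xml[i] == '"' || xml[i] == '\'') {
                std::size_t end = xml.find(xml[i], i + 1);
                if (end == std::string::npos) return false;    // unterminated value
                if (end - i - 1 > maxAttr) return false;
                i = end;
            }
        }
        if (i >= n) return false;                              // unterminated tag
        ++i;                                                   // skip '>'
    }
    return true;
}
```

Documents that pass the gate still go through QDom's own parser; the gate only bounds the text and attribute sizes that reach it.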

Solution: Apply the following patch or update to Qt 6.9.0, 6.8.0, 6.5.9, or 5.15.19.

Patches:

Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/627439 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-30348-qtbase-6.5.diff

Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/632061 or https://download.qt.io/official_releases/qt/5.15/CVE-2025-30348-qtbase-5.15.diff
